All administrators must belong to an admin group. The permissions and properties that you set for a group apply to the administrators that you assign to that group.
There are two types of admin groups:

• Superuser – Superuser admin groups provide their members with unlimited access and control of all the operations that an appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through their console, GUI, and API. In addition, only superusers can create admin groups. The Master Grid superusers can manage permissions of all Master Grid objects and synchronized objects from all managed Grids.
• Limited-Access – Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot access the appliance through the console.

All limited-access admin groups require either Read-only or Read/Write permission to access certain resources, such as IPv4 and IPv6 networks, to perform certain tasks. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access.
Only superusers can create admin groups and define their administrative permissions. There are two ways to define the permissions of an admin group. You can create an admin group and assign permissions directly to the group, or you can create roles that contain permissions and assign the roles to an admin group.
Complete the following tasks to assign permissions directly to an admin group:

1. Create an admin group, as described in 19282574.
2. Assign permissions to the admin group, as described in /wiki/spaces/mgmadminguide/pages/911180974 Complete these tasks to assign admin roles to an admin group:
3. Create an admin role, as described in /wiki/spaces/mgmadminguide/pages/911180938
4. Define permissions for the newly created admin role, as described in /wiki/spaces/mgmadminguide/pages/911180938
5. Create an admin group and assign the role to the group, as described in 1928257419282574

After you have created admin groups and defined their administrative permissions, you can assign administrators to the group.

• For local admins, see /wiki/spaces/mgmadminguide/pages/911181006
• For remote admins, see /wiki/spaces/mgmadminguide/pages/911181019.

Creating Superuser Admin Group s

Superusers have unlimited access to the Master Grid. They can perform all the operations that the Master Grid provides. There are some operations, such as creating admin groups and roles, that only superusers can perform.
Note that there must always be one superuser admin account, called "admin", stored in the local database to ensure that at least one administrator can log in to the appliance in case the appliance loses connectivity to the remote admin databases such as RADIUS servers or AD domain controllers.
There is a default superuser admin group (admin-group). You can create additional superuser admin groups, as follows:

1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.
2. In the Add Admin Group wizard, complete the following:
   • Name: Enter a name for the admin group.
   • Comment: Enter useful information about the group, such as location or department.
   • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.
3. Click Next and complete the following:
   • Superusers: Select this to grant the admin accounts that you assign to this group full authority to view and configure all types of data and perform all tasks.
4. Optionally, click Next to add extensible attributes to the admin group. For information, see /wiki/spaces/mgmadminguide/pages/911183727 /wiki/spaces/mgmadminguide/pages/911183727
5. Save the configuration.

You can do one of the following after you create a superuser admin group:

• Add local admins to the superuser group. For information, see /wiki/spaces/mgmadminguide/pages/911181006
• Assign the superuser group to remote admins. For information, see /wiki/spaces/mgmadminguide/pages/911181019.

Creating Limited-Access Admin Groups

When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of its assigned roles. In addition, you can assign permissions directly to the group. Only superusers can create admin groups.
To create a limited-access admin group:

1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.
2. In the Add Admin Group wizard, complete the following:
   • Name: Enter a name for the admin group.
   • Comment: Enter useful information about the group, such as location or department.
   • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.
3. Click Next and complete the following:
   • Superusers: Clear this checkbox to create a limited-access admin group.
   • Roles: Optionally, click the Add icon to add an admin role to the admin group. In the Role Selector dialog box, select the roles you want to assign to the admin group, and then click the Select icon. Use Shift+click and Ctrl+click to select multiple admin roles. You can assign up to 21 roles to an admin group. The appliance displays the selected roles in the list box.
     When an admin group is assigned multiple roles, the appliance applies the permissions to the group in the order the roles are listed. Therefore if there are overlapped permissions among the roles, the appliance uses the permission from the role that is listed first and ignores the others. You can reorder the list by selecting a role and clicking the arrow keys to move the role up and down the list. To delete a role, select it and click the Delete icon.
   • Allowed Interfaces: Specify whether the admin group can use the Multi-Grid Manager GUI and the API (application programming interface) to configure the appliance.
     • GUI: Select this to allow the admin group to use the GUI.
     • API: Select this to allow the admin group to use the API.
4. Optionally, click Next to add or delete extensible attributes for this admin group. For information, see /wiki/spaces/mgmadminguide/pages/911183727 /wiki/spaces/mgmadminguide/pages/911183727
5. Save the configuration.